SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XII - Issue #22
March 19, 2010
Kevin Mandia just did an incredible webcast on the Advanced Persistent Threat and how it works and what you can do about it. If you work anywhere in the critical infrastructure or supporting the critical infrastructure, you'll want to know this. He's doing it again at the Control Systems Summit in ten days. http://www.sans.org/scada-security-summit-2010/ That's also where you'll hear how NERC CIP compliance will be transformed over the next months.
Alan
TOP OF THE NEWS
Revised Rockefeller-Snowe Cyber Security Bill Mandates Public-Private Collaboration
25 Percent of UK Schoolchildren Admit to Accessing Others' Online Accounts
Lords Approve Controversial Digital Economy Bill
THE REST OF THE WEEK'S NEWS
Interview With Former Pennsylvania CISO Maley
Spammers Go After Facebook Users
Former Employee Disables 100+ Cars Via Computer
Malware Found on Calgary Medical Clinic Computer
Report Says Internet Piracy Will Cost EU 1.2 Million Jobs by 2015
Second Vodafone HTC Magic Found to be Infected with Malware
Troyak Playing Hide-and-Seek
SEC Complaint Alleges Pump-and-Dump Scheme
*********** Sponsored By Trusted Computer Solutions ***********
Is your IT organization struggling to keep your enterprise servers in compliance with security policy? Could your organization pass a surprise security audit today? Security Blanket performs fast, consistent, and repeatable operating system lock down to industry or custom security settings in minutes, not days. Audit ready, all the time! Try Security Blanket for FREE.
http://www.sans.org/info/56744
*************************************************************************
TRAINING UPDATE
-- SANS Northern Virginia Bootcamp 2010, April 6-13 Bonus evening presentations include Safe Surfing: How to Surf the Net Without Getting PWND
http://www.sans.org/reston-2010/
-- SANS Security West 2010, San Diego, May 7-15, 2010 23 courses. Bonus evening presentations include Killer Bee: Exploiting ZigBee and the Kinetic World
http://www.sans.org/security-west-2010/
-- SANSFIRE 2010, Baltimore, June 6-14, 2010 38 courses. Bonus evening presentations include Software Security Street Fighting Style and The Verizon Data Breach Investigations Report
http://www.sans.org/sansfire-2010/
-- SANSFIRE Rocky Mountain 2010, Denver, July 12-17, 2010 8 courses. Bonus evening presentations include Hiding in Plain Sight: Forensic techniques to Counter the Advanced Persistent Threat
http://www.sans.org/rocky-mountain-2010/
-- SANS Boston 2010, June 6-14, 2010 11 courses
http://www.sans.org/boston-2010/
Looking for training in your own community? http://sans.org/community/
Save on On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/spring09.php
Plus Dubai, Geneva, Toronto, Singapore and Amsterdam all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
*************************************************************************
TOP OF THE NEWS
Revised Rockefeller-Snowe Cyber Security Bill mandates Public-Private Collaboration (March 17 & 18, 2010)
The latest version of a Senate cyber security bill removes a provision that granted the President power to shut down Internet access and transit if the country comes under cyber attack, although the President would still have the authority to declare a cyber security emergency. The bill also calls for government officials to work with the owners and operators of critical infrastructure systems to establish a cyber attack response plan. The legislation is sponsored by Senators Jay Rockefeller (D-W.Va.) and Olympia Snowe (R-Maine). This is the fourth revision of the legislation, which was originally introduced last April.
-http://www.informationweek.com/news/security/cybercrime/showArticle.jhtml?articleID=224000085
-http://www.nextgov.com/nextgov/ng_20100317_1762.php?oref=topnews
-http://www.scmagazineus.com/revised-draft-of-cybersecurity-act-introduced-in-senate/article/166049/
[Editor's Note (Paller): This bill is a harbinger of huge changes in cyber security - especially the shift from anyone being able to call him or herself a security "expert" and in transforming colleges from their current state of ignoring secure coding in their core courses to leading the nation in ensuring every graduate who learns coding knows how to write code securely. A real triumph of bipartisanship. ]
25 Percent of UK Schoolchildren Admit to Accessing Others' Online Accounts (March 18, 2010)
One quarter of school-aged children in the UK admitted to accessing other people's Facebook or web-based email accounts. Seventy-eight percent of the students said that breaking into others' accounts was wrong and 53 percent said they believed it was illegal. The reasons most often given for the unauthorized account access were just for fun and mischief. Twenty percent of the students believed they could make money breaking into others' accounts, and five percent envisioned making a career out of cyber attacks.
-http://www.theregister.co.uk/2010/03/18/uk_teenage_hacker_survey/
[Editor's Note (Schultz): Dismal as these findings may be, they are valuable in showing us just how far we have to go regarding cybersecurity education for young people. ]
Lords Approve Controversial Digital Economy Bill (March 16 & 18, 2010)
The UK House of Lords has approved the Digital Economy Bill; the House of Commons is expected to approve the bill before the general election. The bill imposes penalties for illegal filesharing, including giving the government the power to block websites. The bill would also suspend Internet accounts of people who persistently share digital content in violation of copyright law. British Telecom, Google and Facebook have spoken out against the provision, proposing that illegal filesharers be fined instead.
-http://news.bbc.co.uk/2/hi/uk_news/politics/8569750.stm
-http://www.eweekeurope.co.uk/news/digital-economy-bill-approved-by-lords-5919
[Editor's Note (Honan): The UK Security Services are concerned that the introduction of this bill will drive more and more people to using encryption and anonymising services to hide their activity thus making it more difficult to track cyber criminals and terrorists.
-http://www.timesonline.co.uk/tol/news/uk/crime/article6885923.ece]
*************************** Sponsored Links ***************************
1) SANS Inquires... Which information security products, services and providers would you like to hear more about? Answer a short 3 question survey and be automatically entered to win a $50 Amazon gift card. http://www.sans.org/info/56749
2) Attend the first European event focused at Forensics and Incident Response Summit April 19-20 in London. http://www.sans.org/info/56754
3) Register for Department of Homeland Security Control Systems Cyber Security Trainings. SANS Process Control and SCADA Summit March 29-30. http://www.sans.org/info/56759
*************************************************************************
THE REST OF THE WEEK'S NEWS
Interview With Former Pennsylvania CISO Maley (March 18, 2010)
Robert Maley, the former CISO of Pennsylvania who lost his job after he discussed a cyber security incident on a panel at the RSA conference, says that while what he said did not put state IT systems at risk, he was wrong to have spoken of the incident and he will not appeal his firing. In an interview with Jaikumar Vijayan, Maley describes his reasons for talking about the incident, and explains that the vulnerability in the PennDOT IT system has been fixed. He does not regret having spoken and says that he "hope[s] we can find ways that we can share incidents like this successfully, ... [that] we can be more open about what's really going on to benefit the good guys, because I think the bad guys have no problem sharing information with each other."
-http://www.computerworld.com/s/article/9173078/Fired_CISO_says_his_comments_never_put_Penn._s_data_at_risk_?taxonomyId=84
[Editor's Note (Pescatore): This one is pretty cut and dried: he admits consciously violating a policy where he understood the consequences. Doing it this way actually makes it *harder* for others to share information - more fear of punitive reaction. ]
Spammers Go After Facebook Users (March 18, 2010)
Spammers have been targeting Facebook members with data-stealing malware. The malicious messages appear to come from legitimate senders, but the return address is spoofed. The messages tell recipients that their Facebook passwords have been reset and that they need to download an attachment that contains the new password. Although many users may know by now that websites would not reset passwords and email the new ones, because Facebook's user base is so large, the attackers appear to be hoping that at least some will fall for the ruse.
-http://www.pcworld.com/businesscenter/article/191847/facebook_users_targeted_in_massive_spam_run.html
-http://news.cnet.com/8301-27080_3-20000682-245.html
Former Employee Disables 100+ Cars Via Computer (March 17, 2010)
Police in Austin, Texas have arrested Omar Ramos-Lopez for allegedly accessing a computer system at Texas Auto Center and disabling the ignition systems on more than 100 cars. Ramos-Lopez was laid off from the Texas Auto Center in February. The company uses a system to disable cars that have not been paid for; a device installed under the car's hood allows someone with access to the computer system to disable the vehicle's ignition system or start the car's horn honking, which can be stopped only by removing the battery. The company received reports of problems for five days before resetting the system's password. Examination of access logs led investigators to Ramos-Lopez. Although his account was disabled when he was let go, he used another employee's account to access the system.
-http://www.wired.com/threatlevel/2010/03/hacker-bricks-cars/
-http://www.msnbc.msn.com/id/35919648/ns/technology_and_science-security/
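The lesson a defender takes from this item is that the access logs held the answer for five days before anyone looked. The following is an added example, not code from the article or from Texas Auto Center: a small log review for a remote-immobilizer console that flags the patterns this story implies (a burst of disable commands from one account, activity outside business hours, and a login from a source address that account has never used, which is what a borrowed credential tends to look like). The log format, field names, thresholds and the sample lines are all constructed assumptions.

```python
"""Access-log review for a remote vehicle-immobilizer console (added example).

Assumptions: one event per line with five space-separated fields
(ISO timestamp, account, action, vehicle id or '-', source address);
the thresholds and business hours below are illustrative, not the vendor's.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log: a normal pattern for two accounts, then one account
# issuing a burst of disruptive commands at 02:00 from an unfamiliar address.
SAMPLE_LOG = """\
2010-02-22T09:12:04 jsmith login - 10.1.5.20
2010-02-22T09:14:31 jsmith disable VIN0001 10.1.5.20
2010-02-22T14:02:10 jsmith enable VIN0001 10.1.5.20
2010-02-23T10:40:00 kperez login - 10.1.5.21
2010-02-23T10:41:12 kperez disable VIN0002 10.1.5.21
2010-02-25T02:03:44 kperez login - 198.51.100.7
2010-02-25T02:04:01 kperez disable VIN0003 198.51.100.7
2010-02-25T02:04:05 kperez disable VIN0004 198.51.100.7
2010-02-25T02:04:09 kperez disable VIN0005 198.51.100.7
2010-02-25T02:04:13 kperez horn VIN0006 198.51.100.7
2010-02-25T02:04:17 kperez disable VIN0007 198.51.100.7
2010-02-25T02:04:21 kperez disable VIN0008 198.51.100.7
"""

DISRUPTIVE = {"disable", "horn"}   # actions that affect a customer's car
BURST_THRESHOLD = 5                # disruptive actions per account per day (assumption)
BUSINESS_HOURS = range(7, 20)      # 07:00-19:59 local time (assumption)


def parse(log_text):
    """Turn the raw log text into a list of event dicts."""
    events = []
    for line in log_text.splitlines():
        ts, account, action, vehicle, src = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "account": account,
                       "action": action, "vehicle": vehicle, "src": src})
    return events


def review(events):
    """Return a list of (rule, account, detail) findings."""
    findings = []

    # Rule 1: burst of disruptive actions by one account within one day.
    per_day = Counter()
    for e in events:
        if e["action"] in DISRUPTIVE:
            per_day[(e["account"], e["ts"].date())] += 1
    for (account, day), n in sorted(per_day.items()):
        if n >= BURST_THRESHOLD:
            findings.append(("burst", account, f"{n} disruptive actions on {day}"))

    # Rule 2: any disruptive action outside business hours.
    for e in events:
        if e["action"] in DISRUPTIVE and e["ts"].hour not in BUSINESS_HOURS:
            findings.append(("off_hours", e["account"],
                             f"{e['action']} {e['vehicle']} at {e['ts'].isoformat()}"))

    # Rule 3: login from a source address this account has never used before.
    seen = defaultdict(set)
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["action"] == "login":
            if seen[e["account"]] and e["src"] not in seen[e["account"]]:
                findings.append(("new_source", e["account"],
                                 f"login from {e['src']} at {e['ts'].isoformat()}"))
            seen[e["account"]].add(e["src"])
    return findings


def accounts_flagged(findings):
    """Sorted list of accounts that triggered at least one rule."""
    return sorted({account for _, account, _ in findings})


if __name__ == "__main__":
    for rule, account, detail in review(parse(SAMPLE_LOG)):
        print(f"{rule:11} {account:8} {detail}")
```

Run on the constructed sample, every finding points at the same account, and the new-source rule fires at the first off-hours login, before a single car is touched; the point is that the signal was in the logs from the first minute, not five days later.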
Malware Found on Calgary Medical Clinic Computer (March 17 & 18, 2010)
The University of Calgary Sunridge Medical Clinic has sent letters to more than 4,700 patients to let them know that their personal information may have been compromised. A computer that holds copies of faxes, billing data and medical legal reports was found to be infected with two pieces of malware. The Alberta privacy commissioner is investigating the incident. Last year, the same clinic discovered that information shared over a University of Calgary intranet was accessible to outside users.
-http://www.calgarysun.com/news/alberta/2010/03/17/13261481.html
-http://www.calgaryherald.com/news/Computer+virus+spurs+patient+privacy+scare/2695995/story.html
Report Says Internet Piracy Will Cost EU 1.2 Million Jobs by 2015 (March 17 & 18, 2010)
A report conducted on behalf of the International Chamber of Commerce says that illegal filesharing could cost European countries 1.2 million jobs and 240 billion euros over the next five years. According to the report, the UK alone lost 1.4 billion euros in the creative industries in 2008, all due to piracy. Trades Union Congress (TUC) General Secretary Brendan Barber said that "if there were ever proof needed to demonstrate why the Digital Economy Bill is imperative for the protection of our creative industries, this report is it." The report gathered data from European Union countries, the World Intellectual Property Organization, and Eurostat. The analysis describes a worst case scenario based on consumer web traffic increasing 24 percent annually.
-http://news.bbc.co.uk/2/hi/technology/8573162.stm
-http://www.computerweekly.com/Articles/2010/03/18/240644/Online-piracy-could-cost-240bn-and-1.2-million-jobs-by.htm
Second Vodafone HTC Magic Found to be Infected with Malware (March 17 & 18, 2010)
For the second time this month, a new Android-based Vodafone HTC Magic has been found to be infected with malware, including the Mariposa botnet client and a Win32/AutoRun worm. Vodafone is investigating the incident, which appears to be confined to Spain. The first infected phone was detected by researchers at PandaLabs. Both phones were purchased directly through Vodafone. The first incident was explained by the phone possibly being infected by a user who returned it, but the appearance of a second infected phone raises more questions.
-http://news.cnet.com/8301-27080_3-20000676-245.html
-http://www.v3.co.uk/v3/news/2259758/vodafone-ships-infected-handset
Update: Vodafone Spain admits 3,000 smartphones shipped with Mariposa
-http://www.theregister.co.uk/2010/03/19/voda_spain_mariposa_latest/?
Troyak Playing Hide-and-Seek (March 17, 2010)
Internet service provider (ISP) Troyak is fighting hard to stay alive after its upstream providers severed its connectivity. Troyak is notorious for supporting traffic associated with cybercrime; in particular, Troyak and another ISP, Group 3, supported 90 of the command and control servers associated with the Zeus botnet. Troyak has been bouncing from ISP to ISP to find a way to carry its traffic, but this is becoming more and more difficult, as its reputation becomes more widely known. Researchers have noted that some of the traffic that flowed over Troyak is now being carried by an entity called SAINTVPN that claims to be in St. Petersburg, Russia. There is speculation that Troyak's operators have regrouped under a new name.
-http://www.computerworld.com/s/article/9172198/After_weeklong_fight_rogue_ISP_Troyak_struggles_for_life?source=CTWNLE_nlt_pm_2010-03-17
[Editor's Note (Pescatore): Take-downs aren't the answer to bot nets or malware, but ISPs having voluntary standards that require all ISPs to drop obviously criminal traffic originating from their service or face de-peering is badly, badly needed. Imagine if on the power grid, any electrical provider could start pumping 330v 40hz electricity onto the grid. ]
SEC Complaint Alleges Pump-and-Dump Scheme (March 16, 2010)
A federal judge has granted the US Securities and Exchange Commission's (SEC) request to freeze the assets of a St. Petersburg-based stock trading operation believed to have been involved in a pump-and-dump scheme. Broco Investments allegedly purchased certain stocks through legitimate trading accounts, then allegedly used hijacked Scottrade accounts to place unauthorized buy orders at high prices, artificially inflating the value of the stocks, which they then sold.
-http://www.wired.com/threatlevel/2010/03/manipulated-stock-prices/
-http://www.theregister.co.uk/2010/03/16/pump_and_dump_hacking/
-http://www.sec.gov/litigation/complaints/2010/comp21452.pdf
**********************************************************************
The Editorial Board of SANS NewsBites
Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Prof. Howard A. Schmidt is the Cyber Coordinator for the President of the United States.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.
Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.
Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.
Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.
Alan Paller is director of research at the SANS Institute.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/